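#!/usr/bin/env bash
#
# vault-secret-diff.sh — compare one KV secret between two Vault clusters
# (KV v1 and KV v2 engines).
#
# Usage:   ./vault-secret-diff.sh secret/path
#
# Required environment:
#   VAULT_TOKEN_1, VAULT_TOKEN_2   tokens for cluster 1 / cluster 2
# Optional environment:
#   VAULT_ADDR_1, VAULT_ADDR_2     cluster URLs (defaults below)
#
# Exit status: 0 if the secret payloads match, 1 if they differ,
#              2 on usage, setup or Vault/jq/diff errors.
#
# NOTE: when the payloads differ, the unified diff written to stdout contains
# the secret values themselves; treat that output with the same care as the
# secret (do not tee it into shared CI logs).

set -euo pipefail

# Cluster URLs may be overridden from the environment. Tokens are NOT assigned
# here: a token literal in a script ends up in version control and shell
# history, so they are required from the environment in main().
readonly VAULT_ADDR_1="${VAULT_ADDR_1:-https://vault-cluster1.example.com}"
readonly VAULT_ADDR_2="${VAULT_ADDR_2:-https://vault-cluster2.example.com}"

# Private scratch directory holding fetched secrets; removed by cleanup().
WORKDIR=""

die() { printf '%s\n' "$*" >&2; exit 2; }

usage() { printf 'Usage: %s secret/path\n' "${0##*/}" >&2; exit 2; }

#######################################
# Remove the scratch directory on every exit path (normal, die, signal).
# Globals:   WORKDIR (read)
#######################################
cleanup() {
  if [[ -n "$WORKDIR" ]]; then
    rm -rf -- "$WORKDIR"
  fi
}

#######################################
# Fetch one secret as JSON from a single cluster.
# Arguments: $1 - cluster address
#            $2 - token
#            $3 - secret path
#            $4 - output file
# Outputs:   raw `vault kv get -format=json` JSON written to $4
# Returns:   vault's exit status
#######################################
fetch_secret() {
  local addr=$1 token=$2 path=$3 out=$4
  # The token is handed to the single vault invocation through its
  # environment, not its argv, so it is not visible in `ps` output.
  VAULT_ADDR="$addr" VAULT_TOKEN="$token" \
    vault kv get -format=json "$path" > "$out"
}

#######################################
# Reduce vault's response to the secret payload, sorted for a stable diff.
# The top-level response carries per-request fields (request_id, lease_id),
# and KV v2 adds per-cluster write metadata (created_time, version) under
# .data.metadata; diffing the raw response would therefore report a
# difference on every run even when the stored values are identical.
# Arguments: $1 - input JSON file
#            $2 - output file
# Returns:   jq's exit status
#######################################
normalize_secret() {
  local in=$1 out=$2
  # KV v2 nests the payload as .data.data next to .data.metadata; KV v1 puts
  # it directly in .data. The v2 detection is heuristic: a KV v1 secret whose
  # keys happen to be exactly "data" and "metadata" would be read as v2.
  jq -S '.data
         | if (type == "object" and has("data") and has("metadata"))
           then .data else . end' "$in" > "$out"
}

#######################################
# Entry point.
# Arguments: $1 - secret path (same path on both clusters)
# Returns:   0 match, 1 differ; exits 2 on any error
#######################################
main() {
  (( $# == 1 )) || usage
  local secret_path=$1

  : "${VAULT_TOKEN_1:?must be set (token for ${VAULT_ADDR_1})}"
  : "${VAULT_TOKEN_2:?must be set (token for ${VAULT_ADDR_2})}"

  local tool
  for tool in vault jq diff; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done

  # Secret material touches disk only inside a 0700 directory created by
  # mktemp, with files created 0600 (umask), instead of predictable,
  # world-readable names under /tmp that outlive the script.
  umask 077
  WORKDIR=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT

  fetch_secret "$VAULT_ADDR_1" "$VAULT_TOKEN_1" "$secret_path" "$WORKDIR/vault1.json" \
    || die "failed to read ${secret_path} from ${VAULT_ADDR_1}"
  fetch_secret "$VAULT_ADDR_2" "$VAULT_TOKEN_2" "$secret_path" "$WORKDIR/vault2.json" \
    || die "failed to read ${secret_path} from ${VAULT_ADDR_2}"

  normalize_secret "$WORKDIR/vault1.json" "$WORKDIR/vault1_sorted.json" \
    || die "failed to parse response from ${VAULT_ADDR_1}"
  normalize_secret "$WORKDIR/vault2.json" "$WORKDIR/vault2_sorted.json" \
    || die "failed to parse response from ${VAULT_ADDR_2}"

  # diff: 0 = identical, 1 = differ, >1 = trouble. Capture the status rather
  # than letting set -e treat "differ" as a script failure.
  local rc=0
  diff -u -L "$VAULT_ADDR_1" -L "$VAULT_ADDR_2" \
    "$WORKDIR/vault1_sorted.json" "$WORKDIR/vault2_sorted.json" || rc=$?
  case "$rc" in
    0) printf 'Secrets match\n'; return 0 ;;
    1) printf 'Secrets differ\n'; return 1 ;;
    *) die "diff failed (exit ${rc})" ;;
  esac
}

main "$@"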